Judge Says Plaintiff Can Proceed Against AT&T in $24M Hack Case

A federal judge has backed multiple claims against telecom giant AT&T for failing to secure the data of the victim of a $24 million cryptocurrency theft.

On Feb. 24, a California federal judge ruled that cryptocurrency investor Michael Terpin can proceed with his lawsuit against telecom corporation AT&T over a $24 million SIM hacking incident.

Terpin is arguing that an AT&T agent who was bribed by a criminal gang supplied data that allowed the hackers to steal $24 million worth of cryptocurrency in January 2018. Terpin is a prominent cryptocurrency investor who founded BitAngels in 2013.

On June 11, 2017, hackers were purportedly able to gain control of the investor’s phone number through a SIM swapping attack — allowing them to impersonate Terpin and convince one of his clients to send them cryptocurrency. 

After meeting with AT&T representatives during June 2017 to discuss the hack, Terpin’s account was placed on a “higher security level with special protection.”

On Jan. 7, 2018, Terpin’s phone was hacked for a second time, with the investor alleging that an AT&T employee facilitated the SIM swap. Terpin attempted to contact AT&T to cancel his telephone number, however, “AT&T failed to promptly cancel his account.” 

This resulted in the hackers using 2-Factor Authentication to reset the passwords for Terpin’s cryptocurrency wallets and steal $24 million in digital assets.

Three claims against AT&T upheld

Judge Otis Wright II dismissed 13 of the 16 claims brought against AT&T, however, he ruled that the telecoms giant must face statutory, contract, and tort damages claims. The court will also allow Terpin the opportunity to amend the rejected claims — except for a previously dismissed breach of implied contract claim.

Terpin intends to file a second amended complaint within three weeks to supplement his request for damages. The complaint will seek to demonstrate that AT&T was both aware of, and responsible for, “an ongoing sequence of cryptocurrency thefts due to SIM swaps dating back to well before Terpin’s hack.” Terpin stated:

“We look forward to demonstrating with compelling evidence the ‘advance knowledge and conscious disregard’ threshold by AT&T in its prior knowledge and ratification of ongoing SIM swaps causing economic loss.”

AT&T was aware of clients’ vulnerability to SIM hacking

The judge attributed the hack to AT&T providing “inadequate security measures to protect his SIM card.” Wright added that the telecom company is “morally culpable” through failing to prevent SIM swapping despite being “aware of the vulnerability of its customers” to the practice.

The court rejected AT&T’s motion to dismiss the claims, with the telecoms company claiming that Terpin had been unable to prove that he owned cryptocurrency or the precise method through which his crypto was stolen. Judge Wright concluded:

“The court finds this allegation adequate because Mr. Terpin alleges sufficient facts for the court to reasonably infer the hackers may have used [2-Factor Authentication] methods to glean Mr. Terpin’s personal information from various accounts, such as email or cloud storage.”

An AT&T representative stated that the company disputes the allegations and will continue to fight them in court.